Requesting a Let's Encrypt Wildcard SSL Certificate

Posted by weixin_34293059 on 2018-05-10

Environment

System: CentOS 7.4

Install Certbot

  • Install
    # wget https://dl.eff.org/certbot-auto
    # chmod a+x certbot-auto
    # mv certbot-auto /usr/local/bin/
    

Request the certificate

  • Request

    # certbot-auto certonly -d '*.yourdomain.com' --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
    

    Note: replace yourdomain.com with your own domain.

    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel): youremail@qq.com
    -------------------------------------------------------------------------------
    (A)gree/(C)ancel: A
    -------------------------------------------------------------------------------
    (Y)es/(N)o: N
    -------------------------------------------------------------------------------
    Are you OK with your IP being logged?
    (Y)es/(N)o: Y
    -------------------------------------------------------------------------------
    Please deploy a DNS TXT record under the name
    _acme-challenge.yourdomain.com with the following value:
    
    u5iIS3JKCUpFEjL0_F9F0LE12345678UgDcOISEtx8o
    
    Before continuing, verify the record is deployed.
    -------------------------------------------------------------------------------
    Press Enter to Continue
    
  • Add the DNS record
    Record type: TXT
    Host record: _acme-challenge.yourdomain.com (see the previous step)
    Record value: u5iIS3JKCUpFEjL0_F9F0LE12345678UgDcOISEtx8o (see the previous step)

  • Verify the DNS record

    # dig -t txt _acme-challenge.yourdomain.com
    
  • Press Enter; the certificate request is then complete
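
The verification step above can be scripted so that a truncated copy-paste or a stale record is caught before pressing Enter. This is an added example, not part of the original post; the function names are hypothetical and the sample dig output is constructed, reusing the placeholder value shown above.

```shell
#!/bin/sh
# Added example: check dig output for the TXT value that certbot printed.

# A dns-01 TXT value is the unpadded base64url encoding of a SHA-256 digest
# (RFC 8555, section 8.4): exactly 43 characters from [A-Za-z0-9_-].
is_dns01_value() {
    [ "${#1}" -eq 43 ] || return 1
    case "$1" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Read `dig +short -t txt NAME` output on stdin and print one bare value per
# line: trim whitespace, join split strings ("a" "b"), drop the outer quotes.
txt_values() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# check_acme_txt EXPECTED   (dig +short output on stdin)
# Returns 0 if EXPECTED is among the TXT values, 1 if it is not,
# 2 if EXPECTED itself is malformed (for example a truncated copy-paste).
check_acme_txt() {
    is_dns01_value "$1" || return 2
    txt_values | grep -Fxq -- "$1"
}

# Constructed sample: a stale record from an earlier run is still published
# next to the new one, so the name returns two TXT values.
SAMPLE_DIG_OUTPUT='"constructed-stale-value-from-an-earlier-run"
"u5iIS3JKCUpFEjL0_F9F0LE12345678UgDcOISEtx8o"'
EXPECTED='u5iIS3JKCUpFEjL0_F9F0LE12345678UgDcOISEtx8o'

if printf '%s\n' "$SAMPLE_DIG_OUTPUT" | check_acme_txt "$EXPECTED"; then
    echo "TXT record is visible: continue in certbot"
else
    echo "TXT record not visible yet: wait and query again"
fi
```

Against live DNS, pipe the real query into the function: `dig +short -t txt _acme-challenge.yourdomain.com | check_acme_txt "$VALUE"`, where `$VALUE` holds the string certbot printed.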

Other

  • Back up the certificate

    # mkdir -p /data/cert/
    # cp /etc/letsencrypt/live/yourdomain.com/fullchain.pem /data/cert/yourdomain.com.pem.20180510
    # cp /etc/letsencrypt/live/yourdomain.com/privkey.pem /data/cert/yourdomain.com.key.20180510
    
  • Delete the DNS record

Renew the certificate

The steps are the same as for requesting the certificate.
